Ryan_Ryan
Advisor

Import a trusted CA cert to Gaia OS

Hi,

We have our Checkpoint manager behind another device doing HTTPS inspection; what we need is to import its cert as a trusted root CA into the operating system so it's trusted, like you would need to do for all Windows/Linux clients behind a Checkpoint gateway doing inspection.

Is this possible? I have tried adding it to the HTTPS inspection blade trusted CA list, but it still shows an untrusted error when connecting.

Can we access the cert store on a Checkpoint box?

Cheers

 

10 Replies
G_W_Albrecht
Legend

Did you follow sk108202: Best Practices - HTTPS Inspection and use "Update certificate list" option ?

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Ryan_Ryan
Advisor

Hi, yes, I have read that; however, it's not really my case. My Checkpoint manager is not doing HTTPS inspection and should have no configuration relating to that. It's behind another device doing HTTPS inspection (for argument's sake, let's say it's not a Checkpoint nor a device we have management of, and bypassing is not possible). How can I make the manager trust it as a root CA?

Is there access to the Gaia system cert store that I can drop the certificate in? On normal Linux systems you can copy and paste the cert into the ca-certificates folder, but I don't see any such folder on Checkpoint.

genisis__
Leader

I've done something similar, but not sure if it's applicable in this case.

My requirement was to allow the CP Mgr access to the internet via a Fortigate which was doing HTTPS inspection. Therefore the only way to achieve this was to ensure the Fortigate's certificate was trusted by the Mgr.

We had to add the cert in two places. The reason for this was firstly to ensure the Application level could get updates, i.e. IPS etc., and secondly so that the OS could get updates, i.e. Jumbos etc.

The way I got it working was never confirmed as a supported solution by TAC, but at the same time they never really gave me a solution either.

Is this what you want to do?

Ryan_Ryan
Advisor

Yes, 100% what I need!

Could you please share how to do it? Thanks!

genisis__
Leader

Here is the note I made:

How to get updates working when there is an upstream Proxy doing Deep SSL Inspection:
You will need to export the CA file from the upstream device and then add this to the ca-bundle.crt file in two locations on the Checkpoint Manager (assuming that this is where the issue is).

$CPDIR/conf/ca-bundle.crt <-- This is so that Application level updates can work.
$FWDIR/bin/ca-bundle.crt <-- This is so that GAIA level updates work.

Note this has been tested from an R80.40 SMS. However, it is important to note that the file could change as part of an upgrade or Jumbo installation.

Additionally the above solution is not supported by TAC.

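One way to script the two-file append described in the answer above, as an added example that is not from the thread or from Check Point: it refuses anything but a single PEM certificate, skips the append when the bundle already holds that certificate body, and takes a backup of the bundle first. The two bundle paths are the ones quoted in the answer; the `show_ca` helper assumes an `openssl` binary is on the PATH, and the cert file name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: idempotently append an upstream proxy's
# CA certificate (PEM) to a Check Point ca-bundle.crt. Only the two bundle
# paths come from the accepted answer; everything else here is an assumption.
set -u

# Exit 0 if the base64 body of the single cert in $1 is already present in $2.
ca_in_bundle() {
    cert="$1"; bundle="$2"
    [ -f "$bundle" ] || return 1
    # Strip PEM armor lines and whitespace so line wrapping does not matter.
    body=$(grep -v -- '-----' "$cert" | tr -d ' \r\n' || true)
    joined=$(grep -v -- '-----' "$bundle" | tr -d ' \r\n' || true)
    [ -n "$body" ] || return 1
    case "$joined" in *"$body"*) return 0 ;; esac
    return 1
}

# Print subject, issuer and SHA-256 fingerprint so the operator can confirm
# this really is the inspecting proxy's CA before trusting it (assumes openssl).
show_ca() { openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256; }

# Append cert $1 to bundle $2 exactly once, after a timestamped backup.
append_ca() {
    cert="$1"; bundle="$2"
    # Accept exactly one PEM certificate block; a key or a whole bundle is rejected.
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$cert" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$cert" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "refusing $cert: expected exactly one PEM certificate block" >&2
        return 2
    fi
    if ca_in_bundle "$cert" "$bundle"; then
        echo "$bundle already contains this CA, nothing to do"
        return 0
    fi
    cp -p "$bundle" "$bundle.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Make sure the bundle ends with a newline, then add the cert.
    [ -z "$(tail -c 1 "$bundle")" ] || printf '\n' >> "$bundle"
    cat "$cert" >> "$bundle"
    echo "appended $cert to $bundle"
}

# Update both locations named in the thread (run this on the management server).
update_both_bundles() {
    for b in "$CPDIR/conf/ca-bundle.crt" "$FWDIR/bin/ca-bundle.crt"; do
        append_ca "$1" "$b" || return $?
    done
}
```

Typical use is `show_ca /path/to/proxy-ca.pem` (placeholder path) to check what you are about to trust, then `update_both_bundles /path/to/proxy-ca.pem`.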
Ryan_Ryan
Advisor

Thank you!! That did the trick.

Max91
Explorer

Hey,

On which machine should you edit the CA-Bundle file, mgmt or gateways?

Do I need to run an update command? For example "rehash_ca_bundle"?

Thank You 

G_W_Albrecht
Legend

- mgmt

- no, you add it manually


CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
emreturkmenler
Contributor

My purpose is to add our local root Certificate as we're having some issues, wondering if this will solve the inspection issue.

Do we just add the root certificate as text to this bundle-ca.crt file and nothing else?

PhoneBoy
Admin

Root CA and any intermediate CAs needed to validate the relevant certificates.
